Your OneTrust account can be hosted in one of two ways: 1) with cloud hosting provided by OneTrust or 2) in a dedicated cloud environment managed by OneTrust. There are some differences and requirements of which you should be aware when you select a hosting option.
OneTrust cloud hosting is provided by Microsoft Azure with localities in the United States, Canada, Brazil, United Kingdom, Europe, Australia, and Asia. Microsoft's cloud infrastructure has the following certifications and attestations: ISO/IEC 27001:2013, ISO 27017/27018, SSAE 16/ISAE 3402 SOC 1 Type 1 and Type 2, AT Section 101 SOC 2 and 3 Type 1 and Type 2, and FedRAMP certification and accreditation.
OneTrust LLC’s Information Security Management System (ISMS) is ISO/IEC 27001:2013 certified as reflected in the certificate found here.
OneTrust LLC’s Privacy Information Management System (PIMS) is the first in the world to become ISO/IEC 27701:2019 certified, as reflected in the certificate found here. The PIMS consists of the components, network devices, and software operated by OneTrust employees within its defined system boundary, running in the Microsoft Azure production accounts used to deliver the OneTrust Privacy, Security, and Third-Party Risk software to customers.
OneTrust has completed a Type 2 SOC for Service Organizations (SOC 2 Type 2) examination as of February 27, 2020.
OneTrust Hosting Locations & IP addresses
OneTrust cloud hosting is provided through Microsoft Azure in the following data center locations:
The following table details the data center hosting locations and Admin Portal IP addresses for each OneTrust application environment. These IP addresses can be used to safelist communication from OneTrust in your network.
The table includes IP addresses written in Classless Inter-Domain Routing (CIDR) notation, such as 20.54.106.120/29. A CIDR entry is a base address (20.54.106.120) followed by a prefix length (29) that states how many leading bits of the 32-bit address are fixed. The remaining 32 - 29 = 3 bits vary, so the entry covers 2^3 = 8 consecutive addresses.
For example, 20.54.106.120/29 covers 20.54.106.120, 20.54.106.121, 20.54.106.122, 20.54.106.123, 20.54.106.124, 20.54.106.125, 20.54.106.126, and 20.54.106.127, all of which should be safelisted. In contrast, 13.86.126.174/32 fixes all 32 bits, so only the single address 13.86.126.174 should be safelisted. You can use this subnet calculator to enter a CIDR entry and see the full range it covers.
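To make the expansion above concrete, here is an added Python example (not OneTrust code) that expands CIDR entries from a safelist, validates them, and tests whether a given source address falls inside the safelist; the same logic applies to the Admin Portal, egress and Web Scanner tables. The two entries in SAMPLE_SAFELIST are the ones quoted in this article. The iptables rendering is my assumption about the customer side: it assumes a Linux host and a destination port you choose (443 by default).

```python
import ipaddress
from typing import Iterable, List

# Constructed sample: the two CIDR entries quoted in the text above. The real
# tables are not reproduced here; substitute the entries for your environment.
SAMPLE_SAFELIST = [
    "20.54.106.120/29",
    "13.86.126.174/32",
]


def expand_cidr(cidr: str) -> List[str]:
    """Return every address covered by one CIDR entry, as plain strings.

    strict=True rejects entries whose host bits are not all zero
    (e.g. 20.54.106.121/29). That almost always means a transcription
    error in the safelist rather than a real 8-address block, so we
    want it to fail loudly instead of silently widening the range.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(addr) for addr in net]


def build_safelist(cidrs: Iterable[str]) -> list:
    """Parse and validate the whole safelist once, up front."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_safelisted(source_ip: str, networks: list) -> bool:
    """True if source_ip falls inside any safelisted block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def iptables_rules(cidrs: Iterable[str], dport: int = 443) -> List[str]:
    """Render one iptables ACCEPT rule per block (assumed Linux firewall).

    Firewalls accept CIDR blocks directly, so a /29 never needs to be
    enumerated as eight separate /32 rules.
    """
    return [
        f"iptables -A INPUT -s {net.with_prefixlen} -p tcp --dport {dport} -j ACCEPT"
        for net in build_safelist(cidrs)
    ]


if __name__ == "__main__":
    for entry in SAMPLE_SAFELIST:
        print(entry, "->", expand_cidr(entry))
    nets = build_safelist(SAMPLE_SAFELIST)
    for ip in ("20.54.106.127", "20.54.106.128", "13.86.126.174"):
        print(ip, "safelisted:", is_safelisted(ip, nets))
    print("\n".join(iptables_rules(SAMPLE_SAFELIST)))
```

Note that 20.54.106.128 sits just past the /29 and is correctly rejected; an off-by-one when hand-expanding a block is exactly the kind of mistake the strict parser and membership test catch.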
Note
The OneTrust application provides multiple options to deliver email notifications, as detailed here. Depending on the email server configuration you select, notifications are delivered in one of the following ways:
- For Custom SMTP Relay or Microsoft Exchange Online: Emails are sent from the OneTrust application to the customer's SMTP server or Microsoft Exchange server from the IPs listed in the table below. The customer's server then delivers the email to the recipient (e.g. data subject, vendor, etc.).
- For Default Configuration or Send on Behalf of my Domain: Emails are delivered directly to the recipient (e.g. data subject, vendor, etc.) via the OneTrust cloud email platform.
OneTrust manages DomainKeys Identified Mail (DKIM) signing and Sender Policy Framework (SPF) for its cloud email platform, so customers do not maintain DKIM keys or SPF records for it. The IP addresses used for this delivery path are intentionally not published; because customers never reference them, there is nothing to rotate or update on the customer side when those addresses change. If your internal teams require IP safelisting for email delivery, OneTrust recommends the Custom SMTP Relay or Microsoft Exchange Online configuration, where the sending IPs are the documented egress addresses.
Note
Traffic originating from OneTrust to the customer network (for example, to an integration endpoint or an SMTP server endpoint, where applicable) will use the following OneTrust egress IPs. If your network team safelists OneTrust egress IPs, review this list and update your firewall rules accordingly.
OneTrust Web Scanner Locations & IP Addresses
The following table details the Web Scanner Locations and IP addresses for each OneTrust application environment. These IP addresses can be used to safelist communication from OneTrust in your network. The Web Scanner IP addresses for all OneTrust environments are also available as an IP text list here.
The table includes IP addresses that use CIDR notation, such as 20.54.106.120/29. You can use this subnet calculator to enter the CIDR IP address for additional details on the IP range.
Note
Traffic originating from OneTrust to the customer website when a cookie scan is initiated will use the following OneTrust egress IPs. If your network team safelists OneTrust egress IPs, review this list and update your firewall rules accordingly.
OneTrust Backups of Hosted Accounts
Backups for cloud-hosted implementations are managed, performed, and tested by Microsoft Azure. Azure retains backups for 14 days to protect against accidental data deletion and uses transaction log backups for Azure SQL, as detailed in Microsoft's Automated backups in Azure SQL Database article. The entire database is backed up, and a database can be restored from backup to any point in time within the last 14 days with per-second granularity. For details on backup frequency, see Azure SQL Database Backup Frequency. Backups are encrypted at rest with Azure Transparent Data Encryption (AES-256). For Disaster Recovery purposes, Azure replicates all backups from the Primary Hosting Location to the respective paired Disaster Recovery Hosting Location.
OneTrust Supported TLS Protocols
The following table outlines the supported Transport Layer Security (TLS) protocols with applicable ciphers for OneTrust's cloud environments as of June 6, 2023:
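As an added example (not from OneTrust's documentation), the following Python script verifies what a host actually negotiates rather than relying on a published table: it pins each handshake to a single protocol version and records the cipher suite the server picks, then grades the result against a simple policy (TLS 1.2 or 1.3 only, forward-secret AEAD suites). The hostname app.example.com is a placeholder, and the policy thresholds are my assumption, not OneTrust's published list.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

# Placeholder target; substitute the hostname of your OneTrust environment.
HOST = "app.example.com"

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host: str, version: ssl.TLSVersion, port: int = 443,
          timeout: float = 5.0) -> Optional[Tuple[str, str]]:
    """Attempt one handshake pinned to exactly one protocol version.

    Returns (negotiated_version, cipher_name) on success, or None when the
    server (or the local OpenSSL build) refuses that version. Certificate
    validation stays on, so this is a realistic client handshake.
    """
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Modern OpenSSL builds run at security level >= 1 and refuse
            # TLS 1.0/1.1 outright; lowering the level is needed only so the
            # probe can observe whether the *server* still offers them.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher_name, _, _ = tls.cipher()
                return tls.version(), cipher_name
    except (ssl.SSLError, OSError, ValueError):
        return None


def meets_policy(version: str, cipher: str) -> bool:
    """Assumed policy: TLS 1.2/1.3 only, forward secrecy, AEAD cipher.

    Cipher names are OpenSSL-style, as returned by SSLSocket.cipher().
    """
    if version == "TLSv1.3":
        # TLS 1.3 defines only AEAD suites, and full handshakes always use
        # ephemeral (EC)DHE key exchange.
        return True
    if version != "TLSv1.2":
        return False
    forward_secret = cipher.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM"))
    return forward_secret and aead


def scan(host: str, port: int = 443) -> Dict[str, Optional[Tuple[str, str]]]:
    """Probe every version in VERSIONS and return the raw results."""
    return {label: probe(host, ver, port) for label, ver in VERSIONS.items()}


if __name__ == "__main__":
    for label, result in scan(HOST).items():
        if result is None:
            print(f"{label}: refused")
        else:
            negotiated, cipher = result
            verdict = "OK" if meets_policy(negotiated, cipher) else "WEAK"
            print(f"{label}: {negotiated} {cipher} [{verdict}]")
```

A compliant deployment shows "refused" for TLSv1.0 and TLSv1.1 and an OK verdict for the rest. A cipher such as AES256-SHA on TLS 1.2 is flagged WEAK because it uses static RSA key exchange (no forward secrecy) and a CBC mode rather than an AEAD construction.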
Convercent Hosting Options, Locations, & Backups
Convercent, a OneTrust Affiliate, uses the following hosting options, locations, and backups. For more information on OneTrust Affiliates, see List of Subprocessors.
Convercent Hosting Options
Your Convercent account can be hosted in one of two ways: 1) with cloud hosting provided by Convercent, or 2) in a dedicated cloud environment managed by Convercent.
Convercent cloud hosting is provided by Microsoft Azure with localities in the European Union (Dublin, Ireland, or Amsterdam) or in the US (Seattle or Cheyenne).
Convercent Hosting Locations and IP Addresses
Convercent cloud hosting is provided through Microsoft Azure. Customers can choose to store data in one of the following data center locations: the EU hosted environment (Dublin, Ireland is the primary site and Amsterdam is the Disaster Recovery (DR) site) or the US hosted environment (Seattle is the primary site and Cheyenne is the DR site).
Convercent Backups of Hosted Accounts
Backups for cloud-hosted implementations are managed, performed, and tested by Microsoft Azure. Private Convercent customer data is stored in Microsoft-hosted data center facilities. Because backup and retrieval of company data matter to our customers, the Convercent backup policy includes real-time data replication, daily backups, weekly backups, monthly backups, and offsite storage. All data is permanently purged from the backup servers after 365 days.
Tugboat Logic Hosting Options, Locations, & Backups
Tugboat Logic, a OneTrust Affiliate, uses the following hosting options, locations, and backups. For more information on OneTrust Affiliates, see List of Subprocessors.
Tugboat Hosting Options
Your Tugboat Logic account can be hosted in one of two ways: 1) with cloud hosting provided by Tugboat Logic, or 2) in a dedicated cloud environment managed by Tugboat Logic.
Tugboat Logic cloud hosting is provided by Amazon Web Services (AWS) with localities in the United States (us-east-1 with backup in us-west-2), Europe (eu-central-1 with backup in eu-west-1), and Canada (ca-central-1).
Tugboat Logic's Information Security Management System (ISMS) is ISO/IEC 27001:2013 certified, as reflected in the certificate found here: https://resources.tugboatlogic.com/rs/471-GKD-174/images/Signed_FINAL_ISMS_Certificate_Tugboat.pdf
Tugboat Hosting Locations and IP Addresses
Tugboat Logic cloud hosting is provided through AWS in the following data center locations:
Tugboat Backups of Hosted Accounts
Backups for cloud-hosted implementations are managed and performed by AWS. Backups are tested by Tugboat Logic on a periodic basis. Backups are stored encrypted with AES-256.
The following are answers to frequently asked questions (FAQ) about the OneTrust application. The OneTrust team continuously monitors these inquiries and will add FAQ entries as they are identified.
1. I performed a trace and see an IP address that looks like it is from a different location. Is this a performance issue?

This is expected and is not a performance issue. Our cloud hosting utilizes Cloudflare for performance and security, so the address you see in a trace is a Cloudflare anycast address rather than the address of the data center itself. With anycast routing, many Cloudflare edge locations announce the same IP address and the network delivers your request to the nearest one; that edge then forwards the request on to the OneTrust data center hosting your environment. Although geolocation tools may place the address somewhere other than the data center outlined above, the request is taking the faster and more reliable network path.

2. What are the hosting options, locations, and backups for OneTrust Affiliates?

OneTrust Affiliates such as Convercent and Tugboat Logic use the hosting options, locations, and backups described in the Convercent and Tugboat Logic sections above. For more information on OneTrust Affiliates, see List of Subprocessors.